[00:06.280 --> 00:11.340]  Welcome to the Aerospace Village at DEF CON Safe Mode. My name is Kaylin Tricon. I'm the Director
[00:11.340 --> 00:16.400]  of Communications at the Aerospace Village and Vice President at RockSolutions, a public affairs
[00:16.400 --> 00:21.560]  agency where I lead the firm's cybersecurity practice. I am thrilled to be moderating this
[00:21.560 --> 00:26.940]  panel on Hacking Cybersecurity Aerospace Regulation. The aerospace industry is highly
[00:26.940 --> 00:31.780]  regulated with a great deal of focus on cybersecurity. Aerospace regulators play a key
[00:31.780 --> 00:37.320]  role in understanding risk and putting in place the legal frameworks in creating rules, regulations,
[00:37.320 --> 00:41.760]  and best practice around good faith research. Today's panel will look at how the aerospace
[00:41.760 --> 00:47.160]  industry is approaching cybersecurity regulation and its relationship to good faith hackers and
[00:47.160 --> 00:51.620]  researchers. We will look at how other sectors have approached regulation and partnered with
[00:51.620 --> 00:56.040]  this community to increase resilience and highlight vulnerability. Now I'd like to
[00:56.040 --> 01:03.460]  introduce our esteemed panelists. Nikki, will you kick us off? Sure, so my name is Nikki Keeley.
[01:03.460 --> 01:08.450]  I'm the Head of Cybersecurity at the oversight of the UK Civil Aviation Authority.
[01:09.180 --> 01:15.540]  So I work for the UK CAA and, as the UK's aviation regulator, we're responsible for overseeing the
[01:15.540 --> 01:21.940]  implementation of cyber requirements in regulation for regulated aviation organizations. So that could
[01:21.940 --> 01:26.520]  vary from airlines, through to airports, through to air navigation service providers,
[01:26.520 --> 01:31.480]  or even drone operators. And it's really important for us that we have a proportionate and effective
[01:31.480 --> 01:37.560]  approach and that most importantly we enable aviation to manage their own cyber security risks
[01:37.560 --> 01:42.100]  without compromising aviation safety, security, or resilience.
[01:43.760 --> 01:50.720]  Thanks. Harley? Hi, I'm Harley Geiger and I'm Director of Public Policy at Rapid7.
[01:54.180 --> 02:00.600]  With offices around the world. I'm in the DC area and I run Rapid7's public policy and government
[02:00.600 --> 02:06.520]  engagement activities. I've worked in privacy and cyber security technology policy and law
[02:07.200 --> 02:12.260]  for about 10 years and I'm excited to be here. Thanks for having me.
[02:12.400 --> 02:19.120]  Thanks. And Saulo? Well, thanks Katelyn for the invitation. My name is Saulo da Silva.
[02:19.120 --> 02:27.780]  I work for ICAO. ICAO is the United Nations Agency responsible for the regulatory framework
[02:27.780 --> 02:34.500]  of aviation on a global basis. I'm particularly chief of the global interoperable systems section.
[02:34.500 --> 02:40.480]  It's a weird name, but basically what we do is take care of regulations regarding
[02:40.480 --> 02:45.420]  information management, operational and safety critical information management,
[02:45.420 --> 02:52.920]  including the aspects related to cyber safety and resilience. Basically keep the system going
[02:52.920 --> 03:00.440]  no matter the type of problem that may happen coming from our new actors. Thank you.
[03:01.640 --> 03:07.240]  Thanks, Saulo. All right, let's get started. I think it only makes sense to start with where
[03:07.240 --> 03:12.900]  the industry is right now when it comes to aerospace cyber security regulation. Nikki,
[03:12.900 --> 03:17.540]  I know that the UK has made significant strides when it comes to building bridges between security
[03:17.540 --> 03:23.900]  researchers and industry and how that helps drive regulation. I'd love if you could kick us off and
[03:23.900 --> 03:30.920]  talk a little bit about that evolution and where the UK is today. Sure, thanks. I don't know about
[03:30.920 --> 03:36.540]  significant strides. I think we are starting to build the bridge, which is positive. So
[03:37.160 --> 03:41.140]  in terms of lessons learned, I'd say the first hurdle that we really had to overcome
[03:41.140 --> 03:47.520]  was this misconception that all a regulator wants to do is fine people, which is absolutely not the
[03:47.520 --> 03:52.920]  case. At the end of the day, we're all here for the same reason. We know that our industry and
[03:52.920 --> 03:57.620]  good faith hackers ultimately want to make aviation safer and more resilient. So I think
[03:57.620 --> 04:03.480]  it's about breaking down that misconception. I think the second hurdle is around how do you
[04:03.480 --> 04:09.100]  actually report? What mechanisms do you give individuals and good faith hackers to actually
[04:09.100 --> 04:14.800]  report things? And we're lucky in one sense. In Europe, there's a regulation which is focused on
[04:14.800 --> 04:21.300]  what we call mandatory and voluntary occurrence reporting. So that's all about making sure that
[04:21.300 --> 04:27.300]  safety information is reported, that it's collected, protected, analyzed, so that appropriate safety
[04:27.300 --> 04:32.600]  action can be taken. And where there's a cyber vulnerability or a cyber incident, and that would
[04:32.600 --> 04:38.380]  impact on those safety critical environments, then we believe that it's really important that
[04:38.380 --> 04:43.820]  that information should be reported and acted on. And for organizations who aren't in scope of
[04:43.820 --> 04:48.860]  that regulation, I just mentioned, then we also have a whistleblowing option available in the UK
[04:48.860 --> 04:54.360]  under the Public Interest Disclosure Act. So that's all available on our website. So I think
[04:54.360 --> 04:59.020]  the starting to build that bridge was making sure that it was clear that we want people to
[04:59.020 --> 05:04.820]  get into contact. It's not about taking punitive action. It's about starting that dialogue and
[05:04.820 --> 05:09.320]  conversation, and then showing that there's a mechanism for them to be able to do that,
[05:09.320 --> 05:16.200]  and making those options available for contact. So I think that's really important for us.
[05:16.460 --> 05:20.640]  That's great, Nikki. Have there been any significant challenges in communicating that message
[05:20.640 --> 05:24.060]  to the community? Do you think that's where the hurdle lies?
[05:24.540 --> 05:29.940]  Yeah, I think it's, you know, all regulators are different. I can only talk about aviation,
[05:30.460 --> 05:34.280]  but different regulators might have different approaches. And I think it has been about how
[05:34.280 --> 05:40.240]  do you get that message out there? And I think that's been developing slowly through our
[05:40.240 --> 05:45.680]  relationship with industry. We started to build a really positive relationship with our industry.
[05:45.960 --> 05:51.780]  You know, we've tried to make it clear that we want them to engage with us and collaborate with
[05:51.780 --> 05:57.700]  us. And that it's not the case of never having a cyber incident. We expect that organizations
[05:57.700 --> 06:02.760]  will have cyber incidents, and will find vulnerabilities. And it's more about, you know,
[06:02.760 --> 06:08.900]  following what we call just culture in the safety sense, and reporting those so that they can be fixed.
[06:10.600 --> 06:17.500]  Thanks. And just keeping with, you know, laying the landscape out, Saulo, from a global perspective,
[06:17.500 --> 06:22.500]  how do you think states are dealing with the challenge of aerospace cybersecurity regulation?
[06:22.540 --> 06:26.080]  You know, what are some of the greatest challenges you think the industry faces?
[06:27.740 --> 06:34.360]  Thanks, Kayleigh. You mentioned actually two important words here, that regulations and
[06:34.680 --> 06:42.360]  a challenge. And I would put a little bit of spice and add one more, that is interoperability.
[06:42.360 --> 06:48.620]  That for us in the aviation industry, is actually a bigger problem than just cybersecurity
[06:49.360 --> 06:53.640]  regulation. It's really, it's really, how can I say, it's a problem of
[06:54.440 --> 07:01.980]  divergence. So when we talk about unity in aviation in ICAO for the future, we need to
[07:01.980 --> 07:08.880]  consider the impact of this digital transformation that is happening, and that we are living right
[07:08.880 --> 07:15.500]  now, this digital evolution. And it's something that comes because we have several economic
[07:15.500 --> 07:23.140]  drivers that are basically encouraging this digital transformation of the business. So
[07:23.640 --> 07:31.740]  this will happen if we want or not. And we have to be prepared for that. We have
[07:31.740 --> 07:36.920]  to have this increased digital data and information exchange. We know that this is
[07:36.920 --> 07:43.140]  necessary to guarantee not only safety, but also to improve the efficiency of the system.
[07:43.140 --> 07:51.720]  And of course, we know that everybody's taking actions to secure their part of the system.
[07:51.720 --> 07:58.440]  But as I mentioned before, it's a problem of divergence. So one example of a divergent
[07:58.440 --> 08:05.420]  digital process, we can say that, for example, manufacturers who needed to upload software
[08:05.420 --> 08:13.200]  critical parts onto their craft, they are doing everything they should do to secure, for example,
[08:13.900 --> 08:24.340]  the supply chain and to guarantee that they have a certified identity and the integrity of the data
[08:24.340 --> 08:32.260]  being uploaded. So if you, for example, want to connect to the cockpit of the aircraft,
[08:32.260 --> 08:38.560]  you will do the same thing. You take the actions to connect on a secure way. If you want to connect
[08:38.560 --> 08:44.240]  to the back of the airplane, also you're going to do things to connect to the back using a
[08:44.960 --> 08:50.980]  different certificate system. So if you are one manufacturer of avionics, for example, and if you
[08:50.980 --> 08:58.740]  are using different ways to connect it to the supply chain or to the equipments on board,
[08:58.740 --> 09:04.560]  we know, for example, also airports. Airports are also establishing their system to guarantee
[09:04.560 --> 09:12.900]  the security of the operation. So basically, you have everybody doing what they think is correct,
[09:12.900 --> 09:22.820]  what they need to do. So we are going to a point that we are finding ourselves with thousands of
[09:22.820 --> 09:29.000]  different certificates floating around the ecosystem with little or sometimes completely
[09:29.000 --> 09:36.280]  no compatibility. And that's when the issue of compatibility or interoperability comes.
[09:36.280 --> 09:44.480]  And we believe that these certificates, they, like other things, they have to be maintained
[09:44.480 --> 09:51.560]  along hundreds of different processes and procedures. And the big challenge is to create
[09:53.240 --> 09:59.660]  a convergence on all these important activities that are being taken nowadays.
[10:00.220 --> 10:05.920]  I don't want to say in an uncoordinated way, but in a very loose way. So the challenge for
[10:05.920 --> 10:14.240]  the states right now is to have a global harmonized regulations through coordination
[10:14.240 --> 10:19.180]  and cooperation. The coordination and cooperation to face this challenge to have a global
[10:20.360 --> 10:26.380]  harmonized regulatory framework is really necessary because aviation is international by
[10:26.740 --> 10:32.120]  default. Airplanes do not recognize borders. I keep saying that we have checkpoints on the ground,
[10:32.120 --> 10:38.120]  but we don't have checkpoints in the air. So cooperation and coordination to develop a
[10:38.120 --> 10:43.280]  harmonized set of regulations is a big challenge that states are facing right now.
[10:43.280 --> 10:48.100]  And, you know, that's a really interesting point is that challenge of it being so global
[10:48.660 --> 10:53.720]  and each kind of state having its own rules, regulations, you know, that framework that
[10:53.720 --> 10:58.180]  you're talking about. Are we currently in a process where that's being discussed and worked
[10:58.180 --> 11:05.100]  on? Or is it still in the stages of, you know, it would be a nice to have and we need to work on it?
[11:05.980 --> 11:10.020]  From an international perspective, the International Civil Aviation Organization
[11:10.020 --> 11:15.980]  is working on that with the help, obviously, from the states, because that's where the expertise
[11:15.980 --> 11:23.400]  relies. And we have Nikki here with us, who is helping us a lot on that subject. But this effort
[11:23.400 --> 11:30.580]  is already ongoing. It's not an easy effort. As you mentioned, we have a challenge because we have
[11:30.580 --> 11:38.700]  national security requirements, we have national culture, we have national ways of trust. And
[11:38.700 --> 11:46.300]  when we have to expand this to a global environment, it keeps us awake. But we are
[11:46.300 --> 11:53.660]  sure that cooperation and coordination with the help from experts from the states like Nikki,
[11:53.660 --> 11:57.760]  who is here with us, we will face and we will win that challenge.
[11:57.760 --> 11:59.800]  We'll get there, Saulo. We'll get there eventually.
[12:01.220 --> 12:02.140]  Yeah, let's do it.
[12:02.140 --> 12:06.460]  Do you have anything to add to that, just from your perspective?
[12:06.460 --> 12:13.280]  Yeah, I think Saulo raises a really good point. And sometimes it's easy to forget this. I did
[12:13.280 --> 12:19.440]  cyber for an operator back in the day before I joined the regulator. And sometimes you can think
[12:19.440 --> 12:24.000]  of it just in terms of that one organization. But when you're having to talk about regulations and
[12:24.000 --> 12:28.680]  international frameworks and standards, and you have to think about what's proportionate and
[12:28.680 --> 12:35.300]  appropriate, not just for me as the state, all of the airports of all sizes that we regulate. But
[12:35.300 --> 12:40.800]  if you look at it from Saulo's perspective, at an international level, for all the states,
[12:40.800 --> 12:45.600]  all the organizations, all the aviation entities, it does become a challenge.
[12:45.600 --> 12:49.420]  But I think the work is well underway. So I'm hopeful.
[12:50.960 --> 12:57.640]  That's great. Thank you both. And I'm just turning to Harley. We've talked a little bit
[12:57.640 --> 13:01.940]  about building bridges between the security researcher community and regulators in order
[13:01.940 --> 13:07.120]  to help the disclosure process, help things become more transparent and safe and effective.
[13:07.120 --> 13:11.220]  And, you know, can you talk a little bit just about, you know, the current disclosure process
[13:11.220 --> 13:16.680]  and environment for security researchers when it comes to this in this particular industry?
[13:18.560 --> 13:29.660]  Sure. So, overall, the security vulnerability disclosure environment is greatly improving.
[13:30.460 --> 13:34.320]  There's a lot more adoption of coordinated vulnerability disclosure within government
[13:34.320 --> 13:41.560]  agencies for themselves, recognition that it is valuable in industries, in the different sectors
[13:41.560 --> 13:47.880]  that those agencies regulate. And it is becoming more accepted as a basic cybersecurity practice,
[13:47.880 --> 13:52.660]  both in the United States and I would say internationally. And two great examples of
[13:52.660 --> 14:00.840]  agencies that are doing this are the FDA and the Department of Justice, CISA within DHS.
[14:00.840 --> 14:08.020]  Within the aviation industry, our experience is that it is not yet quite normalized. It is still
[14:08.020 --> 14:14.120]  somewhat difficult. And there is a, I think, in part because it is such a highly regulated industry,
[14:14.120 --> 14:21.640]  and because the potential negative effects on the industry of undermining passenger confidence can
[14:21.640 --> 14:28.300]  be so negative, so catastrophic. And unfortunately, we have a media environment that when
[14:28.300 --> 14:36.360]  it comes to anything related to aircraft safety, tends to sensationalize it. But in part for these
[14:36.360 --> 14:43.040]  reasons, our experience is that aviation has a ways to catch up. And it's unfortunate because
[14:43.040 --> 14:46.960]  there is a great deal of innovation that is happening in aviation right now. And the systems
[14:46.960 --> 14:53.940]  that are put in place in the sky and satellites, a lot of them stay in place for many years,
[14:53.940 --> 15:00.420]  as long as a generation. And so you have rapid innovation where security issues might be missed.
[15:00.420 --> 15:05.680]  And then you have equipment that stays in operation for a very long time. And then you
[15:05.680 --> 15:11.560]  have legacy issues with those security problems. So we think that this is an area where security
[15:11.560 --> 15:17.300]  research can really play a valuable role. But it is important to integrate security researchers
[15:17.300 --> 15:25.380]  and cybersecurity community into the manufacturer design. And once they're deployed,
[15:25.380 --> 15:35.740]  the vulnerability disclosure processes. Thanks. You brought up a point about just sensationalization
[15:36.500 --> 15:42.820]  and how the media, you know, can catch wind, or certain entities catch wind and kind of make this
[15:42.820 --> 15:48.820]  out to be something bigger than it actually is to kind of get the headlines and get the hype.
[15:49.060 --> 15:55.720]  Do you think that that is a barrier when it comes to wanting to disclose? Or do you think that
[15:55.720 --> 16:00.600]  there's kind of two tracks where people want the flash and they want the publicity, so they
[16:00.600 --> 16:05.460]  do kind of make it a little bit more sensationalized than it is? Or do you think
[16:05.460 --> 16:12.060]  there's also that, I don't want to say anything because I don't want that to happen. I don't want
[16:12.060 --> 16:17.900]  my words to be misconstrued and turned into this sensationalized like, oh, you can get into the
[16:17.900 --> 16:24.600]  TV on the plane and it's going to crash down. So our impression is that it's both. You
[16:24.600 --> 16:30.360]  know, it depends on the individual researcher, their risk tolerance and sort of what their goals are.
[16:30.380 --> 16:37.040]  If there is a legitimate vulnerability in an aircraft, I don't think that sensationalism is
[16:37.040 --> 16:44.220]  really necessary in order to get headlines. And if you're just disclosing it for flash
[16:44.220 --> 16:49.220]  purposes and credibility purposes, then question whether you're disclosing it for the right reasons.
[16:49.220 --> 16:52.020]  That doesn't necessarily mean that it's not a security vulnerability and that there's not
[16:52.020 --> 16:57.120]  attention that should be paid to it, but it is really not the way to build trust. And it is,
[16:57.120 --> 17:03.200]  I think that it's also very much a barrier to engagement with the industry and the agencies
[17:03.200 --> 17:06.740]  with the security research community. So I think that there's work that has to be done on both
[17:06.740 --> 17:11.000]  sides. I will say that, you know, I don't want to let the agencies off the hook and just say that
[17:11.000 --> 17:18.120]  sensationalism is the issue. I mentioned the FDA, DOJ and other agencies earlier. Those agencies
[17:18.120 --> 17:22.200]  have made great strides in the past couple of years to engage a security research community,
[17:22.200 --> 17:27.380]  including attending DEF CON and just working within those agencies, areas of jurisdiction,
[17:27.380 --> 17:32.420]  like FDA for medical devices and DOJ, they're being more transparent on things like
[17:32.420 --> 17:38.380]  coordinated disclosure, prosecutions and researcher protection under DMCA.
[17:38.440 --> 17:45.140]  Shout outs to Leonard Bailey and Suzanne Schwartz. But FAA and the aviation industry
[17:45.880 --> 17:50.620]  have a ways to go. I know that there's good work on cybersecurity being done at FAA,
[17:50.620 --> 17:56.220]  like by Susan Kaebler, but they're not really being clear, in our opinion, publicly clear,
[17:56.220 --> 18:01.260]  that they care a lot about cybersecurity and that they want to build relationships with the
[18:01.260 --> 18:06.040]  cybersecurity community. It's just not clear. It's quite difficult right now to find much
[18:06.040 --> 18:12.220]  cybersecurity specific guidance on aviation systems from FAA, both on manned aircraft and
[18:12.220 --> 18:17.580]  unmanned aircraft. Unmanned aircraft being a huge area of concern since that is consumer level
[18:19.240 --> 18:24.260]  devices. And there's even less information out about how security researchers can work
[18:24.260 --> 18:32.420]  with these agencies. So our advice is twofold. One, for researchers to work to gain understanding
[18:32.420 --> 18:37.960]  about the unique context and pressures that the aviation industry is under, to be respectful,
[18:38.300 --> 18:43.540]  manage media to avoid sensationalism and work to build trust. But our advice also to the FAA
[18:43.540 --> 18:47.560]  is to encourage the aviation community to build bridges with the security community
[18:47.560 --> 18:52.840]  and to actually facilitate that engagement. Make clear that you are making an effort to bring in
[18:52.840 --> 18:57.880]  experts from the cybersecurity community, not just the aviation industry, for input on their
[18:57.880 --> 19:03.820]  guidance and their activities. Harley, thank you so much for that. You make a great point just about
[19:03.820 --> 19:10.420]  building trust. And you know, at the Aerospace Village, that is our core mission is to build
[19:10.420 --> 19:15.200]  the bridges of trust between the security researcher community and the aerospace industry
[19:15.200 --> 19:19.520]  itself to kind of formulate those relationships so that we can have these conversations.
[19:19.520 --> 19:25.160]  And so I'd like to kind of spend some time talking with you all about, you know, what we can do to
[19:25.160 --> 19:30.800]  forge those relationships in order to build that trust. You know, Nikki, I know in a prior
[19:30.800 --> 19:37.500]  conversation, we had talked about, you know, how in the UK industry has acted as, you know, a conduit
[19:37.500 --> 19:44.400]  between the good faith hacking community and the regulators. And, you know, I wonder if you think
[19:44.400 --> 19:50.620]  this approach is sustainable, or do you hope that that, you know, relationship evolves to where
[19:50.620 --> 19:54.720]  that community feels like they can go straight to the regulator? Because right now, it seems like
[19:54.720 --> 19:59.960]  if you have that conduit, it's working. But I wonder if you hope that it evolves so that they
[19:59.960 --> 20:05.820]  go directly to you. Yeah, that's a really good point, Caitlin. And I think Harley's raised some
[20:05.820 --> 20:12.020]  really good points as well. And at the moment, we have had reports come to us, largely through
[20:12.020 --> 20:19.460]  researchers or cyber specialists that have been asked by our industry to perform specific testing.
[20:19.580 --> 20:23.300]  And that's great, because that shows that we're building that relationship with our industry,
[20:23.300 --> 20:30.260]  that they trust us and want to report to us about issues like that. But going forward, I'd absolutely
[20:30.260 --> 20:36.140]  love to have the research community feel like they can get in touch with us. And I think
[20:36.140 --> 20:42.020]  importantly, and Harley, you mentioned, you know, customer confidence and passenger confidence,
[20:42.020 --> 20:48.620]  which I think is so important. And I think the media and sensationalism element doesn't help.
[20:48.620 --> 20:53.640]  And I have to admit that as a safety regulator, you know, we do get nervous. When it's safety
[20:53.640 --> 20:59.580]  critical systems, we do get nervous. So I think it's about how the reporting is done and how that
[20:59.580 --> 21:05.800]  engagement works. But for me, you know, my absolute perfect scenario would be to have early engagement
[21:05.800 --> 21:11.840]  with researchers. Like, you know, when you're planning on what research you want to be doing,
[21:11.840 --> 21:18.220]  having a good conversation then, because sometimes there are aviation contextual elements that might
[21:18.220 --> 21:22.740]  be helpful for the researcher to know about, because it might impact how they decide they
[21:22.740 --> 21:28.240]  want to do that research even. You know, there's an air navigation service provider guy that I talk
[21:28.240 --> 21:31.700]  to, and he always goes, well, Nikki, that's not an issue, because I can just look out the window.
[21:31.700 --> 21:36.140]  So sometimes there are, you know, non-technical, but aviation contextual elements that could be
[21:36.140 --> 21:42.740]  helpful in that research. So I think, you know, earlier the better. And it'd be great to be part
[21:42.740 --> 21:48.540]  of that discussion about focusing on areas that need more research, because either industry aren't
[21:48.540 --> 21:52.980]  able to do it themselves, or we aren't able to do that. And we need that research community to help
[21:52.980 --> 21:58.840]  with that. But to have those good conversations early on between the operators and the manufacturers
[21:58.840 --> 22:05.260]  and ourselves and the researchers, that can be kind of well planned. I was just thinking,
[22:05.260 --> 22:10.800]  so the Oxford University published a really great research paper on pilot reactions to
[22:10.800 --> 22:17.000]  hacked avionics, and had a great conversation with the researchers afterwards. And they were
[22:17.000 --> 22:21.280]  talking about ideas for the next research paper. And, you know, it's something we'd love to get
[22:21.280 --> 22:27.200]  involved in and help support, and see how we can, at the end of it, end up with a safer aviation
[22:27.200 --> 22:32.800]  environment. So I think that would be great. Nikki, I'm so glad you brought up that talk,
[22:32.800 --> 22:38.460]  as it is going to be featured, or that research is going to be featured in the Aerospace Village. So
[22:38.460 --> 22:44.400]  if you are interested, there will be a discussion and a presentation on that. So thank you for the
[22:44.400 --> 22:54.220]  plug. Saulo, I do know that, and Pete Cooper tipped me off to this, that ICAO has released a
[22:54.220 --> 22:58.480]  cybersecurity strategy. And in there, there's a line about security researchers, and how
[22:58.480 --> 23:03.920]  you'll work together. And just kind of curious to your thoughts about how that will work, and
[23:03.920 --> 23:11.140]  kind of what's being done to bring that to life. Thanks, Kaylee. And just before addressing that
[23:11.140 --> 23:16.640]  point, that is, it's very, it's such a good provocative question, actually. And I'm a
[23:16.640 --> 23:22.480]  researcher myself, so I like that point, because I'm playing on both sides. But just to
[23:22.480 --> 23:27.800]  just add one point that Harley mentioned before, I think sometimes we don't have much information
[23:27.800 --> 23:34.200]  nowadays about aviation, and the cyber aspects related to aviation, because lots of the concepts
[23:34.200 --> 23:41.580]  and decisions are still to be made. There are lots of ongoing developments right now, lots of,
[23:41.580 --> 23:47.920]  let's call, like we call in ICAO, some uncertainties. And sometimes it's better not to
[23:48.500 --> 23:55.080]  spread some information that's not mature to the community, because it may create lots of
[23:55.080 --> 24:00.860]  confusions. So we try to spread the information. I'm not trying to defend FAA. I'm just saying
[24:00.860 --> 24:06.800]  that sometimes we do not spread the information, just to avoid the creation of a situation that
[24:07.380 --> 24:13.480]  may actually not be helpful to our system. But coming back to what you said, and I mentioned
[24:13.480 --> 24:19.900]  to you that it's a very provocative question, and I can't, honestly, I hope I can be short
[24:19.900 --> 24:26.180]  in my answer, although I really think that this would be the specific discussion. I'm going to
[24:26.180 --> 24:32.660]  talk about research and trust. It's a specific discussion that needs to start, that needs to
[24:32.660 --> 24:40.240]  have. And I would start just making a small statement, or what you call an observation,
[24:40.240 --> 24:47.440]  on how, and I think Nick mentioned that point, or you mentioned too, and how trust affects
[24:47.440 --> 24:53.820]  on how, and I think Nikki mentioned that point, or you mentioned too, and how trust affects
[24:53.820 --> 25:03.400]  we see trust like a form of faith in the outcome of another's actions. So we have to think about
[25:03.400 --> 25:11.600]  that. Trust exists in a context of kind of imperfect knowledge, like not mature or imperfect
[25:11.600 --> 25:19.180]  knowledge, and also thinking about a possible future contingency. And as I said, you know,
[25:19.180 --> 25:28.580]  it is a form of belief despite uncertainties. That's how we see trust. And also, since the
[25:28.580 --> 25:34.660]  beginning of the century, but in all modern society, trust has been conceived as a mechanism
[25:34.660 --> 25:40.260]  that will help us to reduce the bureaucracy, the complexity, and enhance, obviously,
[25:40.260 --> 25:50.680]  communications between or among different stakeholders. And also, we can use the trust
[25:50.680 --> 26:00.380]  to reduce the need of a very strict regulation, like a contract, for example. So in the
[26:00.380 --> 26:08.120]  international aviation, there is a very sensitive ecosystem. You know, aviation,
[26:08.300 --> 26:17.580]  it goes to the headlines. You know, aviation, the media does not forgive us. The small incident
[26:17.580 --> 26:23.700]  goes to the first page, goes to any media headline. So we have to be
[26:25.600 --> 26:32.300]  conscious that the ecosystem is really sensitive to that. And we see in aviation,
[26:32.620 --> 26:39.320]  from an international perspective, the human element of it is the core, is in the core,
[26:39.320 --> 26:45.760]  at the core of cybersecurity. It is critically important for the international aviation
[26:45.760 --> 26:52.880]  community that, obviously, the civil aviation sector increases the number of personnel that
[26:52.880 --> 27:00.460]  is qualified and knowledgeable in both, and Harley correctly mentioned, that's not only aviation,
[27:00.460 --> 27:06.040]  but also aviation and cybersecurity. And this is a new area that is coming now. For example,
[27:06.040 --> 27:10.760]  I have to be honest, I'm 36 years in aviation, so I know a lot about aviation. I know a lot
[27:10.760 --> 27:15.960]  about aviation. But the last five years, that's when I started learning about cybersecurity,
[27:15.960 --> 27:21.140]  actually. So I can't consider myself a cybersecurity expert. No, I cannot. I can
[27:21.140 --> 27:27.800]  consider myself an aviation expert, for sure, but not a cyber. And we have to have these qualified
[27:27.800 --> 27:34.540]  people in aviation and cybersecurity. And this, obviously, you have a different process
[27:34.540 --> 27:41.660]  to achieve that through recruitment, through education, training. But one significant way
[27:41.660 --> 27:46.940]  to advance is through research. Research is very important. And that's why I decided to go back
[27:46.940 --> 27:52.240]  to the research community, and I've been doing research with these states. And as such, as part
[27:52.240 --> 27:58.520]  of the ICAO strategy, as part of the international strategy, we, the International Civil Aviation
[27:58.520 --> 28:05.280]  Organization, we encourage all these states to set up the appropriate mechanisms for cooperation
[28:05.280 --> 28:11.720]  with what we call the good faith, you know, the good faith research, which is basically the
[28:11.720 --> 28:17.540]  research activity that's carried out in an environment that is appropriate, and is designed
[28:17.540 --> 28:24.360]  to avoid affecting what we, for us as a part of all that is safe, the security, and like we are
[28:24.360 --> 28:30.760]  seeing nowadays, the continuity of operations. So, ICAO encourages states to do that approach.
[28:30.760 --> 28:38.120]  But obviously, again, we go back to the aspects of trust. They are different in different societies.
[28:38.120 --> 28:43.540]  There are different ways of cooperation. So, we have to encourage and help the states to do that,
[28:43.540 --> 28:49.300]  because at least from this area that we see nowadays, cybersecurity research is the one that
[28:49.300 --> 28:54.920]  will allow us to advance faster and achieve the results that we want to keep safety and
[28:54.920 --> 29:00.300]  continuity of operations as we have been doing for the last 100 years.
[29:02.900 --> 29:07.640]  Thanks, I think that's a great answer and also gives me a lot to think about too, just in terms
[29:07.640 --> 29:13.140]  of how, you know, the point about everybody thinks about trust differently in different communities.
[29:13.140 --> 29:17.400]  And so, you know, when we say that, oh, it's important to build trust, you know, what does that
[29:17.400 --> 29:22.100]  actually mean to the different stakeholders in the different groups? Harley, I'd be interested to
[29:22.100 --> 29:29.500]  get your thoughts on this, as we talk about, you know, what needs to happen and where we need to go.
[29:30.240 --> 29:35.780]  From your perspective, you know, what are some things that the aviation industry can do to kind
[29:35.780 --> 29:43.080]  of build that bridge and that trust? So, first of all, I think the aviation industry,
[29:43.080 --> 29:47.280]  there's a number of things, but focusing just on the relationship with security researchers,
[29:47.560 --> 29:54.600]  mentioned a few things before, but it would really be helpful to have guidance for researchers on
[29:54.600 --> 30:00.660]  vulnerability disclosure. And this can come in the form, perhaps ideally, in the form of model
[30:00.660 --> 30:07.040]  guidance from the FAA. Essentially, something that tells people what the FAA wants them to do
[30:07.040 --> 30:12.560]  in a situation where they have a vulnerability to disclose. What is the mechanism for the FAA
[30:12.560 --> 30:18.760]  to know about a vulnerability, since it is, you know, just the FAA that can decide whether a
[30:18.760 --> 30:25.420]  vulnerability is safety critical. And unfortunately, there's a, you know, the alphabet soup
[30:25.420 --> 30:31.720]  of agencies in the United States kind of makes understanding what the agency roles are a bit
[30:31.720 --> 30:39.180]  difficult, right? So, FAA is safety critical features in aviation, but CISA and DHS is the
[30:39.180 --> 30:43.760]  lead cybersecurity agency. So what, you know, where do researchers go if they're trying to
[30:43.760 --> 30:48.720]  disclose? Is it both? You know, this is not something that researchers who, you know,
[30:48.720 --> 30:53.140]  are focused on technical subjects and not necessarily on managing government bureaucracy
[30:53.140 --> 30:57.160]  should have to try to figure out on their own. There should be clear public guidance about that.
[30:57.260 --> 31:03.660]  And FAA, in particular, can play a great role in leading the charge on distributing that type of
[31:03.660 --> 31:08.380]  guidance and encouraging industry stakeholders to do it as well. A note of caution, though,
[31:08.380 --> 31:14.680]  for the industry as well as for the FAA is that there may be an impulse to say, well, aviation is
[31:14.680 --> 31:20.500]  special because there is, you know, safety components. Well, true, but that also exists
[31:20.500 --> 31:26.040]  for vehicles. It exists for medical devices. This has been done before. It's not going to be viewed,
[31:26.040 --> 31:32.500]  you know, by researchers as being so special that they would willingly submit to a process that
[31:32.500 --> 31:38.500]  is completely locked down, right? So if you are looking at having a vulnerability disclosure
[31:38.500 --> 31:44.100]  process and having it completely under NDA and, you know, restricting the ability of researchers
[31:44.100 --> 31:49.060]  to do anything with their research or to disclose in the event of a disagreement and so forth,
[31:49.060 --> 31:53.840]  that could very well backfire. I think the research is going to happen sort of regardless.
[31:53.840 --> 31:58.320]  Many of these components can be purchased on the second-hand market. Certainly when it comes to
[31:58.320 --> 32:05.280]  unmanned aircraft, those are increasingly easy to purchase. And so the research is going to happen,
[32:05.280 --> 32:09.100]  you know, the key is going to be building an engagement that both sides can live with,
[32:09.100 --> 32:12.780]  not one that locks down researchers and then violates the trust that you're supposed to be
[32:12.780 --> 32:18.820]  trying to build in the first place. So I think you bring up a really good point about, you know,
[32:18.820 --> 32:24.820]  the second-hand market and like the research is going to happen with or without the industry.
[32:24.820 --> 32:31.380]  And I wonder if, you know, from my perspective, I feel like that should change and
[32:31.380 --> 32:37.340]  there should be this, you know, we don't want you going to get older equipment or second-hand
[32:37.340 --> 32:41.060]  equipment that's already been used. We want you to get the stuff before it's being used to
[32:41.060 --> 32:47.040]  identify, you know, what challenges or problems, vulnerabilities lie within. And I wonder,
[32:47.040 --> 32:54.520]  you know, from both your perspective, where do you think that barrier comes from? And then from,
[32:54.520 --> 33:00.320]  Nikki or Salo's perspective, you know, why isn't industry or regulators like approving,
[33:00.320 --> 33:06.820]  oh yeah, we want you to take a look at these components before they get put into use. And
[33:06.820 --> 33:12.140]  I wonder if that's back to Salo's earlier point of digital transformation. It happened ahead of
[33:12.140 --> 33:18.300]  security, it appears in a lot of cases across many industries, but now we're trying to play
[33:18.300 --> 33:23.960]  that catch up. But it's, is it a fear that, oh, we've been using this stuff and we don't want to
[33:23.960 --> 33:29.680]  know what's, you know, vulnerable. And so I just, I'd love to get all three of your perspectives on,
[33:29.680 --> 33:34.980]  you know, what you think needs to happen to kind of stop that. Oh, we have to go somewhere else
[33:34.980 --> 33:41.460]  besides the source to get the information to do the research. So Kaylin, just one, one thing,
[33:41.460 --> 33:48.360]  I think that it's maybe important to note here. So ICAO have published a cyber security strategy,
[33:48.840 --> 33:52.720]  which was published fairly recently. Salo probably knows this better than I do.
[33:52.720 --> 33:57.880]  But, but one of the things that's clearly called out in there is that states should be
[33:58.980 --> 34:04.540]  enabling mechanisms so that good faith researchers can collaborate. So, you know,
[34:04.540 --> 34:09.540]  ICAO recognize the importance of that. Hopefully more states will be recognizing the importance
[34:09.540 --> 34:13.740]  of that. I mean, Harley, I, you know, I get your point. Sometimes it is confusing and it's not
[34:13.740 --> 34:18.880]  always clear who you're supposed to report what to. But I think it's, you know, hopefully that's
[34:18.880 --> 34:25.000]  something that that is a quick win that many states can implement fairly easily, you know,
[34:25.000 --> 34:30.400]  to start kind of building at least the mechanisms for reporting in. So just my two cents on that
[34:30.400 --> 34:35.960]  one. Hopefully that's something we can move forward. So I don't want to diminish the fine
[34:35.960 --> 34:41.340]  work of ICAO and others in producing those types of guidance. I mean, I guess part of the point is
[34:41.340 --> 34:46.520]  that states should implement that guidance. Yeah, yeah, totally agree, totally agree.
[34:47.860 --> 34:54.460]  Yeah, I know that, Harley, you have a good point. And I want to say from a global perspective,
[34:54.460 --> 35:00.900]  we cannot enforce. We have to encourage the states to take actions and help them
[35:00.900 --> 35:07.900]  to take the necessary actions. That's what the International Civil Aviation does. But I may
[35:07.900 --> 35:15.220]  have a different perspective from you when we talk about cooperation and collaboration at a
[35:15.220 --> 35:22.480]  global level. As I'm saying, I'm a researcher myself. And I see mainly in Europe, a lot of
[35:22.480 --> 35:28.500]  cooperation and cooperation going on a lot of coordination. I participate every year in some
[35:28.500 --> 35:33.400]  what we call innovation days in Europe, where we put all the research community together,
[35:33.400 --> 35:40.160]  and we discuss several subjects. And last year, I was there to talk about exactly this subject.
[35:40.160 --> 35:48.960]  And I see the community very engaged on that. I can't specify to you now to the community how
[35:48.960 --> 35:56.140]  this happens all over the world, state by state, because again, there are some regional differences,
[35:56.140 --> 36:01.760]  there are some national differences, there are some different ways to produce regulation and
[36:01.760 --> 36:08.180]  to deal with the research community. But from a global perspective, I can tell you that
[36:08.680 --> 36:15.900]  the cooperation is ongoing. Obviously, sometimes there are some, although you may not agree with
[36:15.900 --> 36:23.480]  that aviation is a special industry, but I keep saying the same thing that thousands of people die
[36:23.480 --> 36:29.620]  on car accidents every day. And nobody knows and nobody cares. If you have one aircraft who crashes
[36:29.620 --> 36:37.020]  for a small thing that could be and kill 50 people, it will be on the first page of any
[36:37.020 --> 36:44.360]  newspaper, it will be on the headlines of any television channel. So that's what we call
[36:46.200 --> 36:51.420]  aviation as a special industry, because we are doing something that goes against the nature,
[36:51.420 --> 36:56.840]  right? We're not made to fly, okay? We are not made to fly, and we fly, and we fly. We're doing
[36:56.840 --> 37:01.200]  something against the nature. So this calls the attention of the community, because we're doing
[37:01.200 --> 37:07.320]  something that is special. We are flying and we are not made to fly. So that calls attention. So
[37:07.320 --> 37:14.360]  sometimes in the aviation industry, we try to be very conservative in our approach, just to avoid
[37:15.140 --> 37:21.680]  people. I will use Kaylin as an example. I don't want Kaylin going on a holiday. I don't want you
[37:21.680 --> 37:32.540]  guys going to the airport thinking, oh my gosh, am I going to arrive to my destination today or not?
[37:32.880 --> 37:37.120]  We don't want you to think about that. I want you to go to the airport like you go today. You go
[37:37.120 --> 37:42.800]  there and say the maximum reward is my flight is going to be 30 minutes late, 10 minutes late,
[37:42.800 --> 37:47.960]  one hour late, but you never think about the safety of flight. You never think about that,
[37:47.960 --> 37:54.420]  because you know that our industry has a high level of safety and is very conservative. I have
[37:54.420 --> 37:59.740]  to be honest to you, and we are evolving, we are improving this, but we are very conservative
[38:00.280 --> 38:07.260]  because of the attention that the industry attracts from the media when something goes wrong.
[38:07.260 --> 38:15.060]  But I think I see the research community coming very, very closer to the aviation stakeholders
[38:15.060 --> 38:22.380]  and producing very good material. And I always give the example of Europe, although I'm not European,
[38:22.800 --> 38:29.020]  but I always give the example of Europe because I can see the cooperation going there. And I'm
[38:29.020 --> 38:35.580]  quite happy with the scenario that I see there in terms of cooperation, industry and research
[38:35.580 --> 38:41.780]  community. Just to clarify, so the comment about aviation not being special, that was more
[38:41.780 --> 38:46.240]  from the researcher's perspective on whether they're going to perform the research or not.
[38:46.240 --> 38:53.240]  I absolutely agree that the way the media handles safety issues with aviation is different from
[38:53.240 --> 38:59.080]  things like cars, like vehicles. And that is something that I think is important for
[38:59.080 --> 39:05.180]  researchers in particular to consider as they're conducting their research,
[39:05.180 --> 39:10.040]  and I think it requires special outreach from both the researcher as well as whoever's
[39:10.040 --> 39:16.040]  facilitating the disclosure, whether it's FAA or CISA, to help manage the media to avoid
[39:16.040 --> 39:22.000]  unnecessary sensationalism. And on the collaboration point, I don't want to sound
[39:22.000 --> 39:26.760]  all doom and gloom. Remember, I opened with saying that I do think it is changing. It is changing,
[39:26.760 --> 39:30.920]  and it's changing in a lot of different industries, aviation included. The fact that we have an
[39:30.920 --> 39:38.320]  Aerospace Village at DEF CON is proof positive of that. It's just there is a sense that it is
[39:38.320 --> 39:43.680]  lagging behind in some other industries, I do think medical devices being a really good example.
[39:44.160 --> 39:48.420]  But it is happening. The collaboration is increasing, and I do think that that's very positive.
[39:49.640 --> 39:54.100]  And Harley, I know that within, I believe, the last year, you know, your organization has
[39:54.100 --> 40:00.720]  worked with the aviation industry and the aerospace industry on a disclosure. And so I'd be
[40:00.720 --> 40:05.280]  interested just to get your perspective on that process, and if it was what you expected, or if
[40:05.280 --> 40:10.900]  it was better than you expected, or, you know, just kind of talk us through, you know, that process.
[40:11.100 --> 40:16.540]  Because I do think, you know, it gives a good picture of where things stand now, and hopefully
[40:16.540 --> 40:24.120]  where they'll go. Okay, well, so it's a happy story. It's a positive ending.
[40:25.920 --> 40:30.640]  And ultimately, you know, vulnerability disclosure ought to be a positive thing. It ought to be a,
[40:30.640 --> 40:36.340]  hey, we, you know, an independent genius found a security flaw, and worked with the industry,
[40:36.340 --> 40:40.640]  and worked with regulators, and now it's fixed, and everybody's safer. That's the ideal
[40:40.640 --> 40:46.980]  scenario. And ultimately, that's how it went for us. One of our brilliant researchers, Patrick
[40:46.980 --> 40:53.580]  Kiley, who is also a pilot, discovered a flaw in CAN bus. So, of course, that's, you know, the
[40:53.580 --> 40:59.300]  network standard that enables control over vehicle launches. And he demonstrated that it was possible
[40:59.300 --> 41:05.900]  to send false messages through CAN bus that could, among other things, display incorrect information
[41:06.360 --> 41:11.300]  to the pilots, such as compass, and altitude, and engine data. And that can have a serious
[41:11.300 --> 41:17.860]  impact. So, Rapid7 worked for about a year to coordinate the vulnerability disclosure with
[41:17.860 --> 41:22.320]  government agencies, as well as the industry. There wasn't, you know, like a single manufacturer
[41:22.320 --> 41:29.280]  whose CAN bus is used so widely. And it involved a lot of collaboration with the FAA, with CISA,
[41:29.300 --> 41:36.580]  and the aviation ISAC, and, as I mentioned, with the media. And honestly, our experience was a bit
[41:36.580 --> 41:44.980]  mixed. Initially, the ISAC and the FAA were inclined to dismiss the CAN bus flaw, because
[41:44.980 --> 41:53.100]  to exploit it required some level of physical access to the craft's wiring. But that could be
[41:53.100 --> 41:59.660]  done, for example, by compromising an existing device on the craft. But the ISAC and the FAA had
[41:59.660 --> 42:05.200]  argued that their physical security controls around aircraft prevented this from ever happening.
[42:05.340 --> 42:10.220]  And from our perspective, you know, this was us learning about this and learning, you know,
[42:10.220 --> 42:13.860]  learning more about the, you know, the unique other controls that are around aircraft,
[42:13.860 --> 42:18.120]  but also deciding that they were right that physical controls reduce the risk,
[42:18.120 --> 42:24.300]  but that physical controls alone were not a complete substitute for secure network design,
[42:24.300 --> 42:28.820]  and that relying just on physical security was unwise. And, you know, unfortunately, to be real
[42:28.820 --> 42:33.440]  frank, at least in the early days, it felt like the priority was avoiding that pressure of the
[42:33.440 --> 42:42.280]  industry. On the other hand, we found CISA, within DHS, to be excellent facilitators of the coordinated
[42:42.280 --> 42:47.540]  disclosure process. And they actually went out of their way to independently verify Rapid7's
[42:47.540 --> 42:53.080]  findings and to put out their own advisory on the CAN bus flaw. And this lent additional
[42:53.080 --> 42:57.360]  credibility to the seriousness of our research, which was ultimately helpful in getting buy-in
[42:57.920 --> 43:04.120]  from the industry, from the ISAC, from FAA. And importantly, Rapid7, we were also, you know,
[43:04.120 --> 43:10.440]  very responsible as researchers. We, you know, worked privately with these entities and worked
[43:10.440 --> 43:16.200]  under embargo with the media long before going public in order to put the findings into context
[43:16.200 --> 43:22.200]  and to note that the risk was reduced because of physical security controls to avoid sensationalism
[43:22.200 --> 43:28.180]  and so that we could go out publicly when there was a greater understanding of what exactly
[43:28.180 --> 43:33.140]  the issue was and what mitigations were possible. And we recommend that, you know, researchers take
[43:33.280 --> 43:39.080]  a similarly cautious approach. And so in the end, in the end, after about a year of verification
[43:39.080 --> 43:45.060]  and coordination, the flaw was disclosed publicly in the white paper. There was not a ton of hype
[43:45.060 --> 43:49.520]  in the media, although it was acknowledged in the media, and we think it was ultimately a win
[43:49.520 --> 43:56.220]  for collaboration, coordinated disclosure, and the value of security research in avionics systems.
[43:58.810 --> 44:04.550]  Thanks, Harley, for walking us through that and in your experience. I am glad that we were
[44:04.550 --> 44:13.110]  able to end it on a happy note of success. Coming from, I'm a media communications person, so I do
[44:13.110 --> 44:20.390]  know how hard it is, you know, in the cybersecurity space, especially, you know, it's hard to get the
[44:20.390 --> 44:24.810]  stakeholders at an organization to get on board with, you know, talking to the media and doing
[44:24.810 --> 44:29.630]  things like that. And then, you know, that only helps to build trust. I mean, there's a great core
[44:29.630 --> 44:34.030]  of cybersecurity journalists out there who truly want to get the story right and they want to get
[44:34.030 --> 44:40.170]  the facts out there and they're not about sensationalism. And so I do think that, you
[44:40.730 --> 44:45.830]  is going to help this process in a lot more ways than once. I'm glad that you brought it up because
[44:45.830 --> 44:51.130]  I do think there are trusted, you know, media advocates out there that want to get it right
[44:51.130 --> 44:55.350]  because they want to see this happen more. They want to see, you know, the communities working
[44:55.350 --> 45:01.190]  together, research being disclosed, and then acted on. And so I'm really happy to hear about your
[45:01.190 --> 45:07.730]  process and the success that you guys had at Rapid7. We're running up a little bit on our
[45:07.730 --> 45:11.850]  allotted time. So I just want to make sure that each of you have, you know, a few minutes to say
[45:11.850 --> 45:18.130]  any final parting thoughts. And again, just thank you so much for taking the time. It's been just a
[45:18.130 --> 45:23.490]  pleasure speaking with you.
[45:23.490 --> 45:25.450]  Legs first.
[45:25.450 --> 45:31.090]  Thanks, Salo. I was going to say, Harley, that's, you know, such a great example of Rapid7's
[45:31.090 --> 45:35.690]  research and your own research and such a positive outcome. And I think, you know, hopefully in
[45:35.690 --> 45:42.010]  future it won't take a year. Hopefully in future people on both sides will be more aware of, you
[45:42.010 --> 45:46.770]  know, the context and the environment and the requirements, the situation, so that those
[45:46.770 --> 45:52.030]  disclosures can happen faster and you can have, you know, an overall positive experience, not just
[45:52.030 --> 45:57.850]  like partially positive. But no, that sounds like really, really great work. And I just want to say
[45:57.850 --> 46:02.110]  thank you to the Aerospace Village for having this panel today. I think it's really positive.
[46:02.110 --> 46:07.010]  And I'd also like to thank the good faith researchers out there. I think that their
[46:07.010 --> 46:13.090]  work is really, really important. You know, we do need it. The aviation industry needs it.
[46:13.130 --> 46:18.250]  And the only ask that I have is that they don't give up on building those bridges and they do
[46:18.250 --> 46:23.010]  reach out and they do try to get in touch. Because I know, you know, we as a regulator really do want
[46:23.010 --> 46:30.970]  to have those conversations. So thank you. Just like to thank you for the opportunity to be here
[46:30.970 --> 46:37.530]  with you guys. I really appreciate that. And we encourage the research community to come closer
[46:37.530 --> 46:46.310]  and closer to the regulators, to the avionics manufacturers and the aircraft manufacturers,
[46:46.310 --> 46:52.430]  because they all need the work the research community does. For example, in ICAO,
[46:52.430 --> 46:57.330]  you also need. The only difference is that papers presented to ICAO, most of the time,
[46:57.330 --> 47:02.050]  they are not scientific papers. They are more technical papers. So you have to
[47:02.050 --> 47:08.470]  adapt the language because the community is a very broad community that sometimes they will not
[47:08.470 --> 47:17.870]  get if you go on the scientific language. So I really encourage anybody to come to us
[47:17.870 --> 47:24.390]  and present whatever research you're doing. We are always open to receive information from
[47:24.390 --> 47:29.270]  different sources. And we really appreciate that. And we need that. As I said, I'm a researcher by
[47:29.270 --> 47:34.790]  myself. And I really appreciate when I have to cooperate with my peers in the academia and
[47:34.790 --> 47:41.070]  translate what they are saying into international civil aviation language and put to the community
[47:41.070 --> 47:45.290]  to be discussed. I really appreciate it. And thank you for the opportunity again.
[47:47.680 --> 47:55.520]  And they kind of said it all. So at the risk of repeating, but thank you very much for having
[47:55.760 --> 48:03.140]  us on the panel. Thanks for hosting the Aerospace Village at all and DEF CON. Thanks for working so
[48:03.140 --> 48:07.500]  hard to build bridges between these different communities. Also thank you to the security
[48:07.500 --> 48:12.420]  researchers for the work that they're doing. The aviation industry for slowly changing,
[48:12.420 --> 48:16.160]  for changing and accepting this community. I know that it's painful and they're not
[48:16.160 --> 48:23.280]  always the easiest community to deal with. And I guess one last thing, I suppose,
[48:23.280 --> 48:28.460]  it's kind of poignant that we're doing this remotely and that everybody's under a lot of
[48:28.460 --> 48:35.080]  stress and probably missing this annual gathering of such a unique and colorful community. So just
[48:35.080 --> 48:42.600]  much love to that community and stay safe. Thank you all so much. And yes, I hope to Harley's point
[48:42.600 --> 48:49.160]  that next year or the year after we can do this panel again and we can be in person and I can
[48:49.160 --> 48:53.940]  meet all of you. But thanks again from the Aerospace Village. We so appreciate your time
[48:53.940 --> 48:59.200]  and your insights and just have a great rest of your day. Thanks.
